[Snort-users] reputation preprocessor and IDS

waldo kitty wkitty42 at ...14940...
Tue Jun 4 16:04:56 EDT 2013

On 6/4/2013 15:36, JJC wrote:
> Yes, the IP Rep preprocessor works in passive mode just like it does in inline
> mode, other than drop of course.

correct on the drop method... we don't even use it :)

i'll have to dig and see if there is/was a bug that was fixed from to 
the latest snort versions... i whitelisted a CIDR block and they still generate 
alerts... specifically, we saw alerts on 129:20 when snort was reloading after 
setting the CIDR block in the whitelist file and bouncing snort with a complete 
exit and startup... we've also seen 128:4 when sshing into that sensor on a 
non-standard port but we DO have that non-standard port listed in the ssh config 
section of snort.conf... these alerts happen for only a short time and then 
snort seems to settle down and stop issuing them even though those same 
connections are still active or being terminated and restarted again...

i've just tested again an hour after the above alerts were logged and am seeing 
the same alerts as noted above... the traffic is very light compared to what 
many systems see... it is only a 100M internal LAN... there /may/ be some 
swapping going on on that test sensor... i'm seeing 7M of swap space currently 
used but i really don't think that that is getting in the way here...

> On Tue, Jun 4, 2013 at 1:27 PM, waldo kitty <wkitty42 at ...14940...
> <mailto:wkitty42 at ...14940...>> wrote:
>     does the reputation preprocessor work in IDS (non-inline) mode?
>     eg: if one places an IP in the whitelist, that IP still generates alerts. it
>     should not, should it? shouldn't it just pass right on thru all processing?

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-users mailing list